MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18bea0cb94e7c9213588f2e8b500d66f4716c0e6ae1b68ec62ba28c64c627ca5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18bea0cb94e7c9213588f2e8b500d66f4716c0e6ae1b68ec62ba28c64c627ca5
SHA3-384 hash: 4bb71f348951ec3cfcdbd50c802ce784d03bbea74a5e32b1e1c5abb214114238169839aa30eccf38b2399db58c92b2fc
SHA1 hash: 33ea6cd06f21474da8bd6dd9290765f3a33518dc
MD5 hash: b3b9a674a9f1a42a359d26bc0ca832a7
humanhash: green-papa-fish-september
File name:IMG-SMH-2021-1011-Fiyat Talebi 100967-TRK.pdf(56KB).exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:446'464 bytes
First seen:2021-11-10 07:30:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:2CJxR9tD00FXVyFW4h6R2I1n5YuHI/wJJ:2CJxTC0FlwWu6f8/
Threatray 2'101 similar samples on MalwareBazaar
TLSH T14794013533A4D76BC93D8B3C90B5C07A03B5F46E2856D6ADAF8160DB7B737011920AA7
Reporter lowmal3
Tags:exe XpertRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204634/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1098.20000.18648.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618b7538175442ca93aa4d0c/reports/397453b7-90e5-4498-bdff-955d9f61da45/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68ce6422-25ec-47c9-8620-310cf529a5c4
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886526
Signature
.NET source code contains potential unpacker
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (creates a PE file in dynamic memory)
Disables user account control notifications
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 518999 Sample: IMG-SMH-2021-1011-Fiyat Tal... Startdate: 10/11/2021 Architecture: WINDOWS Score: 100 44 kapasky-antivirus.firewall-gateway.net 2->44 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Detected unpacking (creates a PE file in dynamic memory) 2->58 60 7 other signatures 2->60 9 IMG-SMH-2021-1011-Fiyat Talebi 100967-TRK.pdf(56KB).exe 3 2->9         started        13 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe 3 2->13         started        15 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe 2 2->15         started        17 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe 2 2->17         started        signatures3 process4 file5 38 IMG-SMH-2021-1011-...K.pdf(56KB).exe.log, ASCII 9->38 dropped 68 Injects a PE file into a foreign processes 9->68 19 IMG-SMH-2021-1011-Fiyat Talebi 100967-TRK.pdf(56KB).exe 1 1 9->19         started        70 Multi AV Scanner detection for dropped file 13->70 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->72 22 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe 1 13->22         started        24 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe 1 15->24         started        26 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe 15->26         started        28 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe 17->28         started        signatures6 process7 signatures8 62 Changes security center settings (notifications, updates, antivirus, firewall) 19->62 64 Disables user account control notifications 19->64 30 iexplore.exe 3 7 19->30         started        process9 dnsIp10 46 kapasky-antivirus.firewall-gateway.net 45.133.1.51, 4000 DEDIPATH-LLCUS Netherlands 30->46 40 L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe, PE32 30->40 dropped 42 C:\...\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0, data 30->42 dropped 48 Creates an undocumented autostart registry key 30->48 50 Creates autostart registry keys with suspicious names 30->50 52 Writes to foreign memory regions 30->52 35 notepad.exe 30->35         started        file11 signatures12 process13 signatures14 66 Deletes itself after installation 35->66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18bea0cb94e7c9213588f2e8b500d66f4716c0e6ae1b68ec62ba28c64c627ca5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 05:32:02 UTC
AV detection:
15 of 44 (34.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dc7kbs4u47escnmi6lulkagwn5drnqhgvynwr3dcxiummtdcpssq._file
Verdict:
malicious
Similar samples:
0d83906aa1c84a83028cd12f8ef9582a260f94e56c4254cb35735b98d7266b8e
XpertRAT
236e7cb220d65dd5fe8a2f9aa0274331cc0e0f7e724839a76423dbb1a0cde625
XpertRAT
23c589943fbd3d7837f1ddf96cb86c17f62973987f6bac016ebe4dd3c01a1915
XpertRAT
3049f3aa728a2c0f15dea40eb8d46c44ab1618cb8f2a1bb739cc6760aea303f5
XpertRAT
35f0363054ae6e982853cf704f9ad7161a3c054463a2fbc2a6582c55a6eb76a2
XpertRAT
676ef153270573032364c1e312a0619c99d2da980114e66cfb302ff07e480b17
XpertRAT
81420f42ee455db2a99c1f85b03fb213083e03c2f329f1919b9dc3044de89555
XpertRAT
d6db1886657d4ec8e9779d26d1550df019f40c3960d2aa6b1cd01381a6d88af8
XpertRAT
ebf827e50998dc2a8476b123b502efc589577ad8cd9f27dec82a19e50160f3c0
XpertRAT
ffbad515588df376e86216b15b2a092570d1dc91116e787de8648060ef06895c
XpertRAT
+ 2'091 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat trojan
Link:
https://tria.ge/reports/211110-jcdvxsgec5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Windows security modification
Adds policy Run key to start application
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
UAC bypass
Windows security bypass
XpertRAT
Unpacked files
SH256 hash:
7c677467081d07222836efc4b4e057da9d958dc21f43d501278a30391a4476cc
MD5 hash:
95b6f3aa003f7a08099ee5b0de84982e
SHA1 hash:
3e62a94fe391c52ef07e4fb077c05389a9034e16
Link:
https://www.unpac.me/results/c2cf7eed-0c89-4531-86e9-87ffa3d1db01/
SH256 hash:
4dad2df926ed4fe925713eb9b8fdfdade5bd93a587e9fb4e457df784099d510a
MD5 hash:
8bce22a2be10d7426acd3ee15eb8b95e
SHA1 hash:
07da2335f664e16b4c2b66ec3f143f1a278ce074
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/c2cf7eed-0c89-4531-86e9-87ffa3d1db01/
Parent samples :
85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
e4b8184869d65a34fb9e0fb43d8b6c252cb153f7139485e3fde6d02cd6898242
c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa
f2926aaea4603961e15c9ac92eb599ddd51bd6e19bd7fded285a1db16753db87
18bea0cb94e7c9213588f2e8b500d66f4716c0e6ae1b68ec62ba28c64c627ca5
c5a9b54887316170a328f0c1c1adab1db83debfe3b9f922c752c6f090c9abe9b
SH256 hash:
91655863c7906a8d20c7c782144f553c027843a72f2fdab2b1ccc80808083af0
MD5 hash:
b5044dd0e9c91b1a9185d491da7d07f2
SHA1 hash:
a9ff8129771d85f77b6a145f750c70e53f51125e
Link:
https://www.unpac.me/results/c2cf7eed-0c89-4531-86e9-87ffa3d1db01/
SH256 hash:
676d6e47958e0ad1ad39eef2baa3da6248bd0ac87d923406d3c72dd668b792b9
MD5 hash:
7580238247ec947a732f539c562a5ef9
SHA1 hash:
95cf36c7ca64e08e6257d2e7c1835191219c2614
Link:
https://www.unpac.me/results/c2cf7eed-0c89-4531-86e9-87ffa3d1db01/
SH256 hash:
18bea0cb94e7c9213588f2e8b500d66f4716c0e6ae1b68ec62ba28c64c627ca5
MD5 hash:
b3b9a674a9f1a42a359d26bc0ca832a7
SHA1 hash:
33ea6cd06f21474da8bd6dd9290765f3a33518dc
Link:
https://www.unpac.me/results/c2cf7eed-0c89-4531-86e9-87ffa3d1db01/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/18bea0cb94e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18bea0cb94e7c9213588f2e8b500d66f4716c0e6ae1b68ec62ba28c64c627ca5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

Executable exe 18bea0cb94e7c9213588f2e8b500d66f4716c0e6ae1b68ec62ba28c64c627ca5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/204634/

Comments